but what is a threat, besides just a bad thing that could happen? the word threat is actually used in a number of different ways (and somewhat ambiguously) corresponding to the variety of ways threats can be classified/categorized... for example one can categorize threats by what's being threatened (ex. computers, networks, data, etc.), by what property of that thing is being threatened (ex. confidentiality, control, integrity, authenticity, availability, or usability), or even by the specific nature of how it's being threatened (ex. a DDoS attack, identity theft, etc)...
very often, however, the term threat is used to label the thing that is doing the threatening (ex. web-based threats)... despite being called threats, what these actually are are threat agents; that is they are agents that pose and sometimes carry out threats to whatever it is that is/was being threatened... usually, when something bad happens, something (some agent) caused it to happen so the obvious approach to preventing the bad thing from happening is to find some way to deal with the agent(s) that would cause it - in essence, addressing the security threat at the root, but in order to do that one needs to be aware of and consider the details peculiar to that type of agent, so . . .
at the most general level, the agents of concern in information technology are biological, technological, and environmental...
- biological
for our purposes, biological threats are usually people... they can be other things, of course - it's certainly possible for other living things to cause undesirable events with security implications (be it a moth stuck in a relay, or animals chewing through cables, etc.) but usually it's people and those people are either internal or external to the organization interested in that which is being threatened...- external people
these are almost exclusively blackhats, moreover they are people who start their attacks from the outside without any privileged access to the thing they're attacking... these could be crackers, virus spreaders, phishers, spammers, scammers, bot herders, or some other kind of malware profiteer... if they can be found, the law is generally the best (not necessarily the most effective, mind you, due to potential cross-jurisdictional complications) tool for eliminating the threat they pose... - internal people
often referred to as the insider threat, these are people who do have privileged access to the thing being threatened (or at least to means by which that thing can be accessed)... the insider threat can take the form of either a malicious insider or a thoughtless insider...- thoughtless insiders
the threat posed by thoughtless insiders is the threat of an accidental security breach... thoughtless insiders aren't trying to attack the system, they just forget to take the care they ought to take or just don't know any better... being insiders, they have privileged access to potentially valuable resources and are generally the only ones who can accidentally affect the security of those resources... because the nature of the threat is accidental, training is an obvious choice for dealing with the threat... though there are some dissenting opinions on the effectiveness of training, with the proper motivation (the stick is good, but it might be better with a carrot) suitable personnel should be capable of operating in a secure enough manner... - malicious insiders
unlike thoughtless insiders, malicious insiders are trying to attack the system... these are motivated and often intelligent attackers who may (but don't necessarily need to) use many of the same methods that external people do... also like external people, the law is a good tool for dealing with them and there's the added bonus that being an insider should obviate jurisdictional complications...
- thoughtless insiders
- external people
- technological
when i refer to technological agents, i'm referring to either software or hardware (the shades of grey in between those to are generally collapsible to one of those to, ex. firmware can be thought of as a special kind of software)...- hardware
there is all kinds of hardware that could be used to affect the security of a system (ex. taking a sledge hammer to a computer is probably going to affect the usability of that computer and the availability of any data that was on it) there are some kinds of hardware that pose intentional threats to the security of your data/computer/network... examples of hardware that pose a threat to the confidentiality of data include hardware keyloggers as well as RFID cloning hardware or even TEMPEST hardware... whether or not the hardware agent requires some kind of physical contact, it is a physical thing that can be found and/or can be blocked in some way (be it an air-gap or some kind of shielding)... - software
software agents are logical entities that (for the time being) generally can only directly affect other logical entities (ie. data)... they exist in some type of memory, whether it's RAM, the hard disk, an EPROM, or some other storage area, and can generally be located if one knows what to look for and the agent is in a state where it's incapable of interfering with that process... software threat agents can be further broken down into malware and other attack tools...- malware
malware is a kind of malicious software agent that runs on the victim machine... the category can be subdivided into many different types (which i've tried to do and will eventually continue to do in my what is it series of posts) but for now lets just stick to self-replicating (viral) and non-replicative (non-viral) malware...- non-replicative malware
non-replicative malware is the majority of what is being created and deployed right now... an instance of non-replicative malware is, by and large, an agent that acts as a proxy (not in the network sense, but in the more general sense) for the person deploying it - that is, it's carrying out that person's intent or acting for that person... for example, maybe they can't watch you log into your bank directly, but if they can fool you into running a keylogger or password stealer (or a dropper or downloader that in turn introduces a keylogger or password stealer) then that malware will watch you log in for them... as such, not only can we try to address the software agents themselves but we can also try to address the people responsible for them and hopefully eliminate them as a source of future malware... - self-replicating malware
self-replicating malware (viruses and worms) can act as proxies for a human agent, just as non-replicative malware does... however, unlike non-replicative malware, self-replicating malware doesn't stop affecting new victims when the person who made/deployed it grows tired of it and moves on... instead, self-replicating malware just keeps going and going no matter what happens to the person originally responsible for it...
- non-replicative malware
- other attack tools
not all software agents need to run on a victim's machine in order to affect security... mass mailers, password crackers, keygens, DoS tools, packet sniffers, and many others are all capable of doing bad things without running on a victim's machine and that means they can't be located and neutralized by the same means that malware can... generally speaking, dealing with the person who uses such tools (ie. external human agents) is probably going to be more feasible than trying to locate and eliminate instances of the software itself (though some anti-malware vendors have done an almost decent job of scaring people away from using many of these sorts of tools)...
- malware
- hardware
- environmental
environmental agents like fire, water, tornadoes, crashing vehicles, etc. are a little esoteric as agents go but they can affect data, computers, and networks, and not just their availability either... if a tornado tears through a building with confidential paper-based records, a hospital for example, those records may very well not stay confidential (it's raining medical charts!)... now for many other threat agents, dealing with them involved detecting/locating them and neutralizing the threat those specific agents posed (whether by changing, isolating, or eliminating the agent)... that also works for some environmental agents too (ex. you can detect a fire and extinguish it) but, as the tornado example indicates, sometimes you can't do anything to affect the agent (you may instead want to isolate the thing you wish to protect from the agent)...
(yes, i know i focused more on malware than anything else... i am a malware-centric sort of guy, after all... still, sometimes i like to think about the larger context and how malware fits into it...)
0 comments:
Post a Comment